Ransomware can be a company’s worst nightmare. It’s not simply “getting a virus” or “clicking on a malicious email.” It is a systematic plan created by hackers to take your private information. Once they have a foothold in your private data, they use their position to blackmail you into submitting a payment. Technology to prevent ransomware has gotten better, but attackers have gotten smarter and more methodical.
The reality is there are many ways an attacker can execute malware in your environment. The attacker intentionally chooses ransomware after they spent substantial time inside an environment and determined that it is worthwhile.
Remote access by an unapproved person is a problem – be it from a regulatory, compliance, or governance standpoint. A ransomware attacker is like any other adversary now; they look for a way in, survey their situation, plan an attack, and then they execute.
Oftentimes, this also includes other malware such as Remote Access Tools. When these environments are not using a SIEM to monitor unapproved behavior, they are at risk.
Here is the breakdown of what Sedara continues to run into. If you are using a SIEM – make sure to develop your use cases and alarms. Just because you put a security tool in place, doesn’t mean that it is already configured for your user base and how your specific organization does business.
How a Hacker Attacks Your Business
Step 1 – Find a Way In
Many organizations have VPN credentials with no multifactor authentication enabled. This is an incredibly common, high-risk situation for your organization. There aren’t exactly a lot of advanced techniques here: all it takes is for one user to get phished and for someone to figure out the VPN configuration that you use, which is easy to do. If a user logged into your VPN in the middle of the night, would you know it? How long could they be in your network before you figured it out?
Some businesses use a VPN with Multi-Factor Authentication that sends push notifications for approval. Think you have VPN access covered because you use MFA? We have successfully socially engineered multiple users across many organizations through our penetration testing.
There are many public-facing applications that are not in a DMZ. Cloud environments that are connected to internal networks via VPN might be susceptible.
Step 2 – Establish a Secondary Foothold
Once a hacker has full access to an environment, the last thing they want is to have their hard work go to waste before they can take advantage of it. They set up another way in. This can come in many forms, but here are some that we have seen in practice:
Hackers can set up an internal “Man in the Middle” and wait for an IT person to log into their antivirus system. They change the global policy to whitelist their own remote access tools so that the antivirus treats them as legitimate applications. They deploy to 2 or 3 computers throughout the environment and confirm that they can get in. Now they have multiple ways in that no one knows about.
Hackers might set up a new VPN user. This is easy to do in most environments and depending on how you use MFA, many environments could allow a new MFA user to be legitimately created. So, there may not even be a violation of internal policy. Are you notified every time a new VPN user is created in your environment? Do you know how many VPN users you are supposed to have?
Another option is for hackers to add a new inbound NAT rule on a firewall to allow RDP to an internal server, using local credentials. Would you know if this was created? If a new IPsec tunnel to another location were set up, would you get an alert? How long would it take for you to find it?
Step 3 – Plan
Next, hackers find the backup server and see where it writes. This can be a local disk, tape, or cloud backup. Can any of these be deleted, encrypted, overwritten, or removed some other way? Then, they look for other backup jobs. Even if the backups are built well enough to not be a target, a ransomware event can still take down every computer and every server.
Hackers look for the finance and insurance records — and depending on how profitable the company is, they decide how much the ransom payment is going to be. Hackers want to actually get paid, so they aren’t going to ask for a sum of money that their victims can’t pay. They are going to ask for an amount that will allow you to stay in business if you pay it and is cheaper than if you had to recover from their attack without paying the ransom.
They will find out what antivirus you use and then test the ransomware against it outside the environment. Most people that do this know what they are up against once they know what antivirus vendor you use. If it is a traditional AV vendor they will be very happy — it will take 10 minutes to recompile their malware into a hash that they have never used before and they will likely not have any issues getting through. If you’re using a more advanced AV, there usually is a way around it. If you aren’t getting notifications when your AV policies change, you should.
Step 4 – Execute
This is the easy part. Most of the attack will already be scripted and ready to roll. By this stage, hackers know your business well, and they move quickly, because once someone becomes aware of their process, the likelihood of it being stopped becomes higher. By the time a 3rd shift person reports the issue, the attackers will be done.
Step 5 – Wait for Payment and Open a Help Desk Line
That is correct. These hackers will respond if you have questions about their instructions or how to act on them. They want their money, so they are happy to provide customer service.
Are You Safe Against Ransomware?
None of this is hypothetical. These are scenarios that our team at Sedara has actively worked through in the real world.
Choosing security tools is the beginning of the battle. The other 90% is configuring them properly and monitoring them for these situations.
Ask yourself the following questions:
- Do your VPN users typically only work 9-5?
- If one of them connects at 2 in the morning, do you have the ability to disconnect it and disable that account – or at least check with that user if it is a valid connection?
- Would you know if someone made changes to your firewall in the middle of the night?
- If a Remote Access Trojan beaconed out of your environment at any point, could you kill the process and block the destination IP address within a few minutes?
If you answered ‘no’ to any of these questions, then you have some serious risks to mitigate. If the answer is ‘yes’ to all of these, then congratulations! You are well on your way to reducing the risk to your organization for the long term.
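The questions above, together with the behaviors described in Steps 1 through 3 (off-hours VPN logins, VPN users appearing that nobody asked for, firewall and antivirus policy changes, and a remote access tool beaconing out), map directly onto SIEM use cases. The following is an added example, not code from Sedara or from this post, showing what those alarms look like as detection logic run over constructed sample log lines. The log format, the host names, the IP addresses and the business-hours window are all assumptions made for the example; a real deployment would read the equivalent fields from its own VPN, firewall and proxy logs.

```python
"""Toy SIEM use cases for the ransomware checklist.

All log lines below are constructed for this example; the field layout
(timestamp, source, key=value pairs) is an assumption, not a real product format.
"""
from collections import defaultdict
from datetime import datetime, time
from statistics import mean, pstdev

# Constructed VPN and admin-change events (not real data).
EVENTS = [
    "2024-03-04T08:55:12 vpn user=alice src=203.0.113.10 event=login",
    "2024-03-04T17:02:40 vpn user=alice src=203.0.113.10 event=logout",
    "2024-03-05T02:13:09 vpn user=bob src=198.51.100.7 event=login",
    "2024-03-05T02:20:31 admin user=bob event=vpn_user_created target=svc-backup2",
    "2024-03-05T02:41:55 admin user=bob event=firewall_rule_added rule=inbound-nat-3389",
    "2024-03-05T02:50:02 admin user=bob event=av_policy_changed detail=exclusion_added",
    "2024-03-05T09:10:00 vpn user=carol src=203.0.113.22 event=login",
]

# Assumed baseline: the VPN roster you expect, and a "9 to 5" window with some slack.
KNOWN_VPN_USERS = {"alice", "bob", "carol"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Admin events worth an alarm, and which field carries the interesting detail.
SENSITIVE_EVENTS = {
    "vpn_user_created": "target",
    "firewall_rule_added": "rule",
    "av_policy_changed": "detail",
}


def parse(line):
    """Turn one constructed log line into a dict of its fields."""
    ts, source, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_off_hours(ts, hours=BUSINESS_HOURS):
    start, end = hours
    return not (start <= ts.time() < end)


def off_hours_vpn_logins(lines, hours=BUSINESS_HOURS):
    """Use case 1: a VPN login at 2 in the morning (the first checklist question)."""
    return [
        (rec["user"], rec["ts"].isoformat())
        for rec in map(parse, lines)
        if rec["source"] == "vpn" and rec.get("event") == "login" and is_off_hours(rec["ts"], hours)
    ]


def sensitive_admin_changes(lines, hours=BUSINESS_HOURS):
    """Use case 2: new VPN users, firewall rules or AV policy changes, flagged if off-hours."""
    alerts = []
    for rec in map(parse, lines):
        event = rec.get("event")
        if rec["source"] != "admin" or event not in SENSITIVE_EVENTS:
            continue
        detail = rec.get(SENSITIVE_EVENTS[event], "")
        alerts.append((event, rec["user"], detail, is_off_hours(rec["ts"], hours)))
    return alerts


def roster_drift(lines, expected_roster=KNOWN_VPN_USERS):
    """Use case 3: VPN accounts that exist but were never on the approved roster."""
    created = {parse(l).get("target") for l in lines if "event=vpn_user_created" in l}
    return created - expected_roster


# Constructed outbound connection records: (src_host, dst_ip, epoch seconds).
# ws-17 talks to one destination roughly every 60 s with a little jitter (beacon-like);
# ws-03 talks to its destination irregularly and only a few times (normal browsing).
CONNS = [("ws-17", "192.0.2.50", 1000 + 60 * i + 5 * (i % 3)) for i in range(10)] + [
    ("ws-03", "192.0.2.80", t) for t in (1000, 1400, 1410, 3000, 3005, 5200)
]


def beacon_candidates(conns, min_count=8, max_cv=0.2):
    """Use case 4: a host contacting one destination at a regular interval.

    Flags (src, dst) pairs with at least min_count connections whose inter-arrival
    gaps have a coefficient of variation (stdev / mean) at or below max_cv.
    """
    by_pair = defaultdict(list)
    for src, dst, t in conns:
        by_pair[(src, dst)].append(t)
    flagged = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged.append((src, dst, round(avg)))
    return flagged


if __name__ == "__main__":
    print("off-hours VPN logins:", off_hours_vpn_logins(EVENTS))
    print("sensitive admin changes:", sensitive_admin_changes(EVENTS))
    print("VPN roster drift:", roster_drift(EVENTS))
    print("beacon candidates:", beacon_candidates(CONNS))
```

Each function is one alarm. The first three answer the checklist questions directly (off-hours connection, unexpected configuration change, more VPN accounts than you are supposed to have); the fourth is the cheap version of a beacon detector, which only needs connection timestamps and therefore works on firewall or proxy logs that are already being collected. The thresholds are the part that has to be tuned to how your organization actually works, which is the point the post makes about configuring a SIEM rather than just installing one.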
How Sedara Can Help You
These designed attacks show business impact. Sedara provides External (Perimeter), Internal (Assumed Breach), Web Application, and Wireless (WiFi) testing.